Mr.Wizard asked

TCP Split Handshake

Hi, we had an alert generated by our Fortigate 80E ver7.2 that there was TCP.Split.Handshake event. The source IP was local and was traced to an Android cell phone of a senior staff member. The remote IP was the IP address of the Home Internet connection of the owner of the cell phone!

There were 3 alerts within 5 minutes and then nothing for 24 hrs. How serious is this? Is it possible that it's a false positive or a transient error? Do we erase the cell phone and the Home Computer & Router?

Thanks for any advice.


1 Answer

Elmer answered

Hi Mr.Wizard. You can find more details on the threat here: https://www.fortiguard.com/encyclopedia/ips/26339


Following the link in the FortiGuard post (https://www.macrothink.org/), a split handshake can be a valid way of establishing a session; however, it is very uncommon and could possibly be used for nefarious reasons.


To better evaluate the issue, you may investigate the source of this connection on the phone and/or the user's home network.


Regards,
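An added example, not part of Elmer's answer or of Fortinet's own detection logic: a small classifier that labels how a TCP flow was established, so a defender reviewing a capture from the phone or home network can tell a normal three-way handshake from the split variant. The split shape follows the exchange described in the Macrothink paper the FortiGuard entry links; the "client"/"server" labels, the shape names and the packet tuples are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Pkt:
    src: str    # "client" (initiator) or "server" (responder); constructed labels
    flags: str  # TCP flag letters such as "S", "SA", "A", "R", "RA"

# Establishment shapes as (sender, SYN/ACK bits) sequences. "split" is the
# exchange the linked paper describes: the responder answers the SYN with a
# bare SYN, the initiator replies SYN/ACK, and the responder ends with ACK.
SHAPES = {
    "three-way":    [("client", "S"), ("server", "SA"), ("client", "A")],
    "simultaneous": [("client", "S"), ("server", "S"), ("client", "SA"), ("server", "SA")],
    "split":        [("client", "S"), ("server", "S"), ("client", "SA"), ("server", "A")],
}

def _syn_ack_bits(flags: str) -> str:
    """Keep only S and A, in a fixed order, so 'AS' and 'SA' compare equal."""
    return "".join(c for c in "SA" if c in flags)

def handshake_shape(pkts: List[Pkt]) -> str:
    """Classify the establishment phase of one flow.

    Returns 'three-way', 'simultaneous', 'split', 'reset' or 'unknown'.
    A RST the responder sends before its own SYN is tolerated, because the
    split variant may start that way; any other RST aborts the flow."""
    flagged = [(p.src, p.flags.upper()) for p in pkts]
    first_server_syn = next(
        (i for i, (s, f) in enumerate(flagged) if s == "server" and "S" in f), None)
    seq = []
    for i, (src, f) in enumerate(flagged):
        if "R" in f:
            if src == "server" and first_server_syn is not None and i < first_server_syn:
                continue  # responder RST ahead of its SYN: part of the split variant
            return "reset"
        if "S" in f or "A" in f:
            seq.append((src, _syn_ack_bits(f)))
        if len(seq) >= 4:
            break  # the longest shape has four packets
    for name, shape in SHAPES.items():
        if seq[:len(shape)] == shape:
            return name
    return "unknown"

def flows_to_review(flows: Dict[str, List[Pkt]]) -> List[str]:
    """Names of flows whose establishment matches the split pattern."""
    return [name for name, pkts in flows.items() if handshake_shape(pkts) == "split"]
```

Feeding it the per-flow packet order from a capture taken on the phone's network path shows whether the alert came from a real split exchange or from something the sensor could not classify.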
